Hi Tal!
For the ACL entries you just need to supply a dictionary of entries with the key being the sequence number and you should be able to put as many entries as you'd like. I typically have a variable file with the entries defined and then just pass that variable into the task.
For example, my variable file ipv4_acl_entries.yml:
v4_acl_entries:
  '1': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
    src_ip: 10.10.12.12/255.255.255.255}
  '10': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
    src_ip: 10.10.12.12/255.255.255.255}
  '10000': {action: permit, count: true, dst_ip: 10.60.20.2/255.255.255.0, protocol: any,
    src_ip: 10.60.30.2/255.255.255.0}
  '11': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
    src_ip: 10.10.12.12/255.255.255.255}
  '12': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: pim,
    src_ip: 10.10.12.12/255.255.255.255}
  '13': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '14': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: pim,
    src_ip: 10.10.12.12/255.255.255.255}
  '15': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '16': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: ospf,
    src_ip: 10.10.12.12/255.255.255.255}
  '17': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: icmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '18': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
    src_ip: 10.10.12.12/255.255.255.255}
  '19': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
    src_ip: 10.10.12.12/255.255.255.255}
  '2': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: esp,
    src_ip: 10.10.12.12/255.255.255.255}
  '20': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '21': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: ospf,
    src_ip: 10.10.12.12/255.255.255.255}
  '22': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: ah,
    src_ip: 10.10.12.12/255.255.255.255}
  '23': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: udp,
    src_ip: 10.10.12.12/255.255.255.255}
  '24': {action: deny, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: sctp,
    src_ip: 10.10.12.12/255.255.255.255}
  '25': {action: permit, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '26': {action: permit, count: true, dst_ip: 10.10.12.11/255.255.255.255, protocol: igmp,
    src_ip: 10.10.12.12/255.255.255.255}
  '27': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
    src_ip: 10.10.12.12/255.255.255.255}
  '28': {action: deny, count: false, dst_ip: 10.10.12.11/255.255.255.255, protocol: tcp,
    src_ip: 10.10.12.12/255.255.255.255}
And then in your playbook you would only need to do the following:
---
- hosts: all
  roles:
    - role: arubanetworks.aoscx_role
  vars_files:
    - vars_files/acl_entries.yml
  tasks:
    - name: Configure IPv4 ACL
      aoscx_acl:
        name: ipv4_acl
        type: ipv4
        acl_entries: "{{ v4_acl_entries }}"
Would you please output the error you're receiving with the multiple entries?
------------------------------
Tiffany Chiapuzio-Wong
------------------------------
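An added sanity check (example code, not from this thread or from the aoscx collection) for an entries dictionary in the shape of v4_acl_entries above: it orders the entries numerically, since the YAML keys are strings and sort as '10', '10000', '11' in the file but are evaluated by sequence number on the switch, and it flags entries that an earlier, broader entry already covers and that can therefore never match. The sample entries are constructed; 'ip'/'any' as protocol and 'any' as address are taken to cover everything.

```python
import ipaddress

# Constructed sample in the same shape as the variable file: sequence number
# as the key, addresses as host/dotted-mask or 'any'.
SAMPLE_ENTRIES = {
    '10': {'action': 'deny', 'count': True, 'protocol': 'tcp',
           'dst_ip': '10.10.12.11/255.255.255.255', 'src_ip': '10.10.12.12/255.255.255.255'},
    '10000': {'action': 'permit', 'count': True, 'protocol': 'any',
              'dst_ip': '10.60.20.2/255.255.255.0', 'src_ip': '10.60.30.2/255.255.255.0'},
    '20': {'action': 'deny', 'count': True, 'protocol': 'ip',
           'dst_ip': 'any', 'src_ip': 'any'},
    '30': {'action': 'permit', 'count': False, 'protocol': 'tcp',
           'dst_ip': '10.60.20.5/255.255.255.255', 'src_ip': '10.60.30.0/255.255.255.0'},
}


def to_network(addr):
    """Turn 'any' or 'address/dotted-mask' into a network; strict=False drops host bits."""
    if addr == 'any':
        return ipaddress.ip_network('0.0.0.0/0')
    return ipaddress.ip_network(addr, strict=False)


def proto_covers(earlier, later):
    """An 'ip'/'any' entry matches every protocol; otherwise protocols must be equal."""
    return earlier in ('any', 'ip') or earlier == later


def ordered(entries):
    """Entries in switch evaluation order (numeric), not the string order of the YAML keys."""
    return sorted(entries.items(), key=lambda kv: int(kv[0]))


def find_shadowed(entries):
    """Sequence numbers whose src, dst and protocol are fully covered by an earlier entry."""
    shadowed, seen = [], []
    for seq, entry in ordered(entries):
        src, dst = to_network(entry['src_ip']), to_network(entry['dst_ip'])
        for prev in seen:
            if (proto_covers(prev['protocol'], entry['protocol'])
                    and src.subnet_of(to_network(prev['src_ip']))
                    and dst.subnet_of(to_network(prev['dst_ip']))):
                shadowed.append(seq)
                break
        seen.append(entry)
    return shadowed


if __name__ == '__main__':
    print('evaluation order:', [seq for seq, _ in ordered(SAMPLE_ENTRIES)])
    print('never reached:', find_shadowed(SAMPLE_ENTRIES))
```

Running the check before the playbook makes a permit placed after a catch-all deny (as with sequence 30 and 10000 in the sample) visible as unreachable instead of being discovered on the switch.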
Original Message:
Sent: Feb 11, 2021 12:51 AM
From: Tal Madari
Subject: AOS-CX configure ACL using Ansible
Hi,
I'm trying to write a playbook for configuring an ACL on AOS-CX; this is the PB:
---
- hosts: all
  roles:
    - role: arubanetworks.aoscx_role
  tasks:
    - name: Configure IPv4 ACL
      aoscx_acl:
        name: ipv4_acl_example
        type: ipv4
        acl_entries: {
          '10': {action: deny,
                 count: true,
                 log: true,
                 dst_ip: 10.255.254.0/255.255.255.0,
                 protocol: icmp,
                 src_ip: any
                }
          }
    - name: Configure IPv4 ACL
      aoscx_acl:
        name: ipv4_acl_example
        type: ipv4
        acl_entries: {
          '20': {action: permit,
                 count: true,
                 log: true,
                 dst_ip: 10.255.254.0/255.255.255.0,
                 protocol: tcp,
                 port: 80,
                 src_ip: any
                }
          }
    - name: Configure IPv4 ACL
      aoscx_acl:
        name: ipv4_acl_example
        type: ipv4
        acl_entries: {
          '30': {action: permit,
                 count: true,
                 log: true,
                 dst_ip: 10.255.254.0/255.255.255.0,
                 protocol: tcp,
                 port: 443,
                 src_ip: any
                }
          }
    - name: Configure IPv4 ACL
      aoscx_acl:
        name: ipv4_acl_example
        type: ipv4
        acl_entries: {
          '40': {action: deny,
                 count: true,
                 log: true,
                 dst_ip: any,
                 protocol: ip,
                 src_ip: any
                }
          }
Is there any way to configure several entries in one task instead of one task for each entry?
I managed to add the 'log' statement, but I can't find how to add an L4 port.
------------------------------
Tal Madari
------------------------------